Chapter 1
Introduction


We wish to formally verify the correctness of computer programs that use real arithmetic (hereinafter referred to as "mathematical programs"). The real number type implemented on a finite computer is not the same as the ideal, mathematical real number type because a finite machine can only represent finitely many different real numbers, whereas there are infinitely many ideal real numbers.

One of the major problems encountered in trying to verify mathematical programs is that the mathematical properties of real arithmetic operations in computers are much more complicated and much harder to work with than the mathematical properties of the corresponding ideal mathematical operations. For example, ideal real addition is associative; floating point real addition is not. How can we handle this difficulty?

One way that might come to mind is to "pretend" that the machine reals are the same as the ideal reals. Strictly speaking, this is not true. However, this is what is done for programs which use integer arithmetic. Why is it OK for integer programs? If we verify a statement about an integer program like "on any input $n$, the program will terminate and return $n^2$" based on the assumption that the machine integers are the same as the ideal integers, we will actually have established that on any input $n$ that is representable in the machine the program is running on, the program will either cause an overflow or will terminate and return $n^2$. This is because integer arithmetic in finite machines is identical to ideal integer arithmetic when overflow does not occur. Unfortunately, the same is not true of machine real arithmetic. Machine real arithmetic can also deviate from ideal arithmetic by underflow or roundoff. Thus, if we verify a statement like "on any input $x \neq 0$, the program will terminate and return $1/x$" based on the assumption that the machine reals are the same as the ideal reals, we will actually have established that on any input $x$ that is representable in the machine the program is running on, the program will terminate and return $1/x$ if no overflow, underflow or roundoff occurs. Since roundoff occurs much more frequently in real arithmetic than overflow occurs in integer arithmetic, we have established a much weaker statement. In fact, the statement we have actually established is so weak that it is useless. Thus, whatever axioms we assume about machine real numbers, our assumptions must recognize at least some of the differences between machine reals and ideal reals.

We could formulate a collection of axioms which are satisfied by all implementations of real numbers on finite machines, or at least all implementations in a certain general class, like machines that use binary floating point arithmetic. Such an axiom system would have to incorporate some unspecified constants (e.g. the number of bits of mantissa and exponent in the case of binary floating point arithmetic) in order to be valid on machines of various sizes. One could then verify properties like "on any input $x$ representable on the machine, the program will terminate and return the square root of $x$ correct to $t$ decimal places" where $t$ would be some expression involving the unspecified constants. Having done such a verification, given a machine, we could determine the values of the constants for that particular machine, and get a lower bound on the number of decimal places of accuracy (by plugging the values of the constants into $t$ and evaluating it). This is the kind of verification one would really like to do, but it is very difficult. The difficulty comes primarily from the fact that one must perform complicated numerical analyses to get such a hard bound on the number of decimal places of accuracy.

What we have attempted to do with the Theory of Asymptotic Computation is to "factor out" the hard numerical details. Let's return for a moment to the case of stating axioms in terms of unspecified constants about the machine's accuracy. We'd like it to be the case that if we plug in values of these constants corresponding to more and more accurate machines (e.g. larger and larger numbers of bits for the mantissa and exponent in the case of binary floating point arithmetic), the value of the term $t$ goes to $\infty$. In other words, running the program on more and more accurate machines gives better and better accuracy in the result computed by the program. The idea of the theory of asymptotic computation is to develop techniques to prove that the accuracy of the program goes to $\infty$ as the accuracy of the underlying machine goes to $\infty$, without having to show how fast this convergence happens, which is where most of the messy numerical analysis comes in.

The theory of asymptotic computation is essentially a general formalization of the notions of "accuracy" and of accuracy "going to $\infty$".

In Chapter 2 we describe the Theory of Asymptotic Computation. This chapter includes:

• the programming language we are using for specifying algorithms

• a semantics for the language

• the definition of what it means for a program to satisfy a certain input/output specification asymptotically.

In Chapter 3 we give a formulation of the Theory in Nonstandard Mathematics. This formulation makes the definitions less complicated and more intuitive.

In Chapter 4 we apply the formulation of Chapter 3 to verify a program to find roots of a real valued function.


Chapter 2

A Mathematical Theory of
Asymptotic Computation


2.1 A Motivating Example


We will explain the Theory by first considering a very simple program. We will give a semantics for the program, state what it means for the program to be asymptotically correct, and prove it asymptotically correct. We will then obtain the Theory of Asymptotic Computation as a generalization of this example.

The program we will consider is a program to sum 3 real numbers. The 3 numbers to be summed will be given to the program as the values of 3 variables, A, B and C. The output will be stored in a variable RESULT. Here is the program:

10 RESULT := A + B;

20 RESULT := RESULT + C;

30 END;

What do we mean by "asymptotic correctness" for this program, and how would we prove it asymptotically correct? First of all, in order to prove anything about a program we must represent it as a mathematical object. At any point during a possible "run" of the program, either:

1. control is at one of the three statements in the program, with some subset of the variables assigned real number values, or

2. some kind of exception (e.g. overflow) has occurred and the program has terminated abnormally.

Thus, the entire history of a run can be expressed by giving the (finite) sequence of states the program has passed through, where by "state" we mean a statement number and an assignment of some variables to real numbers, and telling whether an exception has occurred or not. We will find it convenient to incorporate both of these pieces of information into a single finite sequence each of whose entries is either a state or a distinguished element $!$ which stands for the occurrence of an exception. We can think of the entries in such a sequence as events, with a state $s$ being thought of as the "event" of going into state $s$, and $!$ being thought of as the event of an exception occurring. The events occur in the sequence in the order in which they occurred. We will call such a sequence a trace of the program. The collection of all traces which could occur during any run of the program defines the semantics of the program's execution. We will call such a collection of traces an event system over the set of states. We will represent the program as an event system. Note that such an event system $T$ is always nonempty (it contains at least $\langle\rangle$, the sequence of events which have occurred before anything at all has happened), and it is always closed under initial segments, i.e. $\forall \sigma \in T\ \forall \tau$, if $\tau \le \sigma$ then $\tau \in T$. Sets of finite sequences having these two properties are called trees of finite sequences.

What are the possible states of the above program? Let's first answer the question for the case in which the machine real number type is exactly the same as the ideal real number type. We will denote a state by an $n$-tuple consisting of a statement number and a sequence of variable bindings to describe the assignment of variables. A variable binding will just be a variable name followed by an arrow and the value that the variable is bound to. If a variable does not appear in the list of bindings, it is not assigned a value by the state.

As noted above, the empty sequence, $\langle\rangle$, is a trace. We assume that A, B and C are defined whenever the program is started up, but their values can be anything, and RESULT may or may not be defined. Also, control must initially be at statement 10. Thus, all sequences of the form

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2) \rangle$

or

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w) \rangle$

will be traces, and no other sequences of length 1 will be traces. From statement 10 the program must go to statement 20, with the new value of RESULT being the sum of the old values of A and B (values of A, B, and C unchanged). In terms of traces, this means that all sequences of the form

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2),$
$(20, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow x_0 + x_1) \rangle$

or

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w),$
$(20, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow x_0 + x_1) \rangle$

will be traces, and no other sequences of length 2 will be traces. Similarly, all sequences of the form

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2),$
$(20, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow x_0 + x_1),$
$(30, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow x_0 + x_1 + x_2) \rangle$

or

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w),$
$(20, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow x_0 + x_1),$
$(30, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow x_0 + x_1 + x_2) \rangle$

will be traces, and no other sequences of length 3 will be traces. Since the program halts at statement 30, the set of state sequences will contain no sequences of length $> 3$. Also, if the machine addition is ideal, no exceptions can occur, so no trace of the ideal system will contain $!$.

Now we examine what the traces for the program running on a finite machine could look like. First of all, what can we reasonably assume about the traces that will be true on any finite machine? We can presumably at least assume the following:

• Control always starts at statement 10 with A, B and C assigned values. Formally, this means that if $\langle s \rangle$ is a trace, then $s$ must either be of the form

$(10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2)$

or

$(10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w)$

Note that we do not assume the converse, that for all states $s$ of this form, $\langle s \rangle$ is a trace. This would require that there be infinitely many different states that the program can start in, which is not possible on a finite machine.

• If control is at statement 10, then either an exception will occur, or the program will go to a state in which control is at statement 20 and the values of A, B and C will be unchanged and RESULT will be assigned a value. Formally, this means that if $\sigma * \langle e, e' \rangle$ is a trace, and $e$ is a state of the form

$(10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2)$

or

$(10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w)$

then either $e' = !$ or $\langle e, e' \rangle$ is of one of the following two forms:

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2),$
$(20, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w') \rangle$

$\langle (10, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w),$
$(20, A \Rightarrow x_0, B \Rightarrow x_1, C \Rightarrow x_2, \mathrm{RESULT} \Rightarrow w') \rangle$

Note that we do not make any assumptions about the relationship between $x_0 + x_1$ and $w'$. This is because just about any relationship we might state (e.g. $|w' - (x_0 + x_1)| < \varepsilon$ for some small $\varepsilon$) will be false on a sufficiently inaccurate machine.

• The corresponding assumption for statement 20, i.e. if no exception occurs, control goes to statement 30, the values of A, B and C don't change and RESULT will be assigned some value. The formal statement is the same as the above, with "10" replaced by "20" and "20" by "30".

• If control is at statement 30 or an exception has occurred, then nothing further happens. Formally, this means that if a trace $\sigma$ ends in $!$ or in a state $s$ of the form

$(30, [\text{some variable assignment}])$

then $\sigma$ is maximal, i.e. there is no trace that extends $\sigma$ and is strictly longer. We also want to assume the converse, i.e. that if $\sigma$ is maximal then it either ends in $!$ or in a state with control at statement 30.


The above conditions do not ensure that an event system corresponds to an implementation of the program on a finite machine. They are merely a weakening of the conditions we wrote down for the ideal machine which allow event systems corresponding to finite implementations. In fact, the above conditions are met by the ideal implementation. Since we want to verify the program assuming that it is running on a finite machine, we need an additional condition which not only allows finite implementations, but actually rules out infinite implementations. The additional condition we will impose is that the set of all events appearing in any sequence in the event system is finite. This will rule out the infinite implementations.

We will refer to the above conditions on event systems as the absolute axioms of the program. We call them "absolute" because they are assumed to hold for all implementations of the program.
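To make the trace semantics and the absolute axioms concrete, here is an added Python model; it is not code from the thesis. It runs the three-statement program on a constructed finite machine (the representable reals are the multiples of ULP with magnitude at most LIMIT, addition rounds to the nearest representable real, and a sum outside that range raises the exception event !), builds the resulting event system as a set of traces, and checks each absolute axiom mechanically. The machine parameters, the GRID of start values and all function names are assumptions of this example.

```python
"""Event-system model of the three-statement summing program (added example).

Constructed machine: representable reals are the multiples of ULP with
magnitude <= LIMIT; machine addition rounds the ideal sum to the nearest
representable real and raises the exception event "!" on overflow. A state is
(statement number, bindings), a trace is a tuple of events, and the event
system is the set of all traces the program can produce.
"""
from itertools import product

EXC = "!"       # the distinguished exception event
ULP = 0.25      # assumed spacing of representable reals
LIMIT = 2.0     # assumed overflow threshold
GRID = [k * ULP for k in range(-4, 5)]   # assumed representable start values


def machine_add(a, b):
    """One machine addition: nearest representable real, or EXC on overflow."""
    s = round((a + b) / ULP) * ULP
    return EXC if abs(s) > LIMIT else s


def bind(env, name, value):
    """Bindings are tuples of (variable, value) pairs; rebind `name` to `value`."""
    return tuple((n, v) for n, v in env if n != name) + ((name, value),)


def successors(event):
    """Events that may follow `event`: 10 -> 20, 20 -> 30; 30 and ! are final."""
    if event == EXC:
        return []
    stmt, env = event
    val = dict(env)
    if stmt == 10:
        r = machine_add(val["A"], val["B"])          # 10 RESULT := A + B
        return [EXC] if r == EXC else [(20, bind(env, "RESULT", r))]
    if stmt == 20:
        r = machine_add(val["RESULT"], val["C"])     # 20 RESULT := RESULT + C
        return [EXC] if r == EXC else [(30, bind(env, "RESULT", r))]
    return []


def start_states(values):
    """Initial states (10, A => a, B => b, C => c) for every triple of machine values."""
    return [(10, (("A", a), ("B", b), ("C", c))) for a, b, c in product(values, repeat=3)]


def event_system(starts):
    """All traces (tuples of events) the program can produce from the given start states."""
    traces = {()}
    frontier = [(s,) for s in starts]
    while frontier:
        trace = frontier.pop()
        traces.add(trace)
        frontier.extend(trace + (e,) for e in successors(trace[-1]))
    return traces


def events(system):
    """The set of all events appearing in any trace; the text requires it to be finite."""
    return {e for t in system for e in t}


def check_absolute_axioms(system):
    """Evaluate each absolute axiom of the text on a finite event system."""
    def is_state(e):
        return e != EXC

    def names(e):
        return {n for n, _ in e[1]}

    extended = {t[:-1] for t in system if t}     # traces having a strictly longer extension
    step_ok = True
    for t in system:
        for e, e2 in zip(t, t[1:]):
            if not is_state(e) or e[0] == 30:
                step_ok = False                  # nothing may follow ! or statement 30
            elif is_state(e2):
                unchanged = all(dict(e[1])[n] == dict(e2[1])[n] for n in "ABC")
                step_ok &= e2[0] == e[0] + 10 and unchanged and "RESULT" in names(e2)
    return {
        "nonempty_and_prefix_closed": () in system
            and all(t[:k] in system for t in system for k in range(len(t))),
        "starts_at_10_with_inputs": all(
            len(t) != 1 or (is_state(t[0]) and t[0][0] == 10 and names(t[0]) >= set("ABC"))
            for t in system),
        "steps_follow_program": step_ok,
        "maximal_iff_exception_or_30": all(
            (t not in extended) == (t[-1] == EXC or t[-1][0] == 30) for t in system if t),
    }


if __name__ == "__main__":
    system = event_system(start_states(GRID))
    print(len(system), "traces,", len(events(system)), "events")
    print(check_absolute_axioms(system))
```

Because the machine has only finitely many representable values, the event set is finite, which is the extra condition the text imposes to rule out the ideal implementation. Both normal terminations and exception traces appear in the system (sums up to 3.0 exceed LIMIT), and removing the empty trace makes the prefix-closure check fail, so the axioms are not satisfied trivially.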

We have not yet said what it means for the program to asymptotically compute the 3-ary addition function. Before we do, let's stop and think about what we could possibly verify about how the program runs on an arbitrary finite machine. On the basis of the absolute axioms, we can verify that the program does not go into an infinite loop, i.e. there is no infinite sequence of events such that every finite initial segment is in the event system. (From now on we will refer to such infinite sequences of events as infinite paths through the event system.) We can verify that if the program does not terminate with an exception, it terminates with RESULT assigned a value, and with A, B and C having the same values they did initially. We cannot verify too much more than that about the program from the assumptions we've made. In fact, it is easy to prove that for any values of $x_0, x_1, x_2$ and $w$, there is some event system $T$ satisfying the absolute axioms such that there is some trace in $T$ which starts with inputs $x_0, x_1$ and $x_2$ and terminates with output $w$. Thus we can't prove anything about how well the program computes the 3-ary addition function. The reason for this is that we don't have any conditions on how machine addition is related to ideal addition.

What we want to be able to verify is that if we require that machine addition match ideal addition more and more closely, we will be able to prove that the input/output behavior of the program matches the 3-ary addition function more and more closely. In other words, we want to be able to prove that for any desired degree $d$ of accuracy of the 3-ary addition function, there exists a degree of accuracy $d'$ of 2-ary addition such that for any event system $T$ satisfying the absolute axioms and $d'$, the input/output behavior of $T$ will satisfy $d$.

What do we mean by a "degree of accuracy"? The intuitive idea is that a degree of accuracy is some condition on implementations of the program which will be met by all sufficiently accurate implementations. Some degrees of accuracy will correspond to the accuracy of the 2-ary addition used by the program; we will refer to these as the asymptotic axioms of the program, because they are assumed true of all sufficiently large implementations. Other degrees of accuracy will correspond to the accuracy of the 3-ary addition the program is attempting to compute; we will refer to these as the asymptotic specifications of the program, because we want to prove them about all sufficiently accurate implementations. Formally, a degree of accuracy will be a set of event systems.

What kind of degrees of accuracy do we want to achieve in computing 3-ary addition? What we'd like is for every event system $T$ meeting the above conditions to satisfy the following conditions:

1. We can give any input to $T$, i.e. $\forall x_0, x_1, x_2 \in \mathbb{R}$, $\exists$ a state of the program $s$ such that $\langle s \rangle \in T$ and $s$ assigns A to $x_0$, B to $x_1$ and C to $x_2$.

2. If $\langle s \rangle \in T$ assigns A to $x_0$, B to $x_1$ and C to $x_2$, then any run of $T$ must eventually terminate normally with RESULT assigned the value $x_0 + x_1 + x_2$. Put more formally, there is no infinite path through $T$ whose first element is $s$, and for every maximal $\sigma \in T$ whose first element is $s$, the last element of $\sigma$ is a state in which control is at statement 30 and RESULT is assigned the value $x_0 + x_1 + x_2$.

Of course, the above conditions can't possibly be satisfied by any such $T$, if only for the reason that we can't start up a finite implementation of the program with an arbitrary input. We do expect, however, that if we take larger and larger machines, we will be able to approximate fixed inputs with more and more accuracy.

Definition 2.1.1: for any $x_0, x_1, x_2 \in \mathbb{R}$ and $\delta > 0$, we define the degree of accuracy $\mathrm{inputs}(x_0, x_1, x_2, \delta)$ to be the set of all event systems $T$ such that $\exists$ a state $s$ such that $\langle s \rangle \in T$ and $s$ assigns A, B and C to numbers $y_0$, $y_1$ and $y_2$ respectively and $|y_i - x_i| < \delta$ for $i = 0, 1, 2$.

□

In general, we won't even be able to get accurate sums of numbers we can input to an implementation, due to roundoff, underflow and overflow. To figure out what we can reasonably specify about the program, we must first consider our picture of how such a program is used.

We imagine a "caller" has some inputs $x_0, x_1$ and $x_2$ it wishes to submit to the program. Ideally, the caller would like to be able to hand the program $x_0, x_1$ and $x_2$ and have it hand back $x_0 + x_1 + x_2$. In general, the caller will not be able to hand the program $x_0, x_1$ and $x_2$, but will have to hand it some approximations to these numbers, say $y_0, y_1$ and $y_2$, such that $\exists s$ such that $\langle s \rangle \in T$ and $s$ assigns A, B and C the values $y_0, y_1$ and $y_2$. The program then "assumes" that $y_0, y_1$ and $y_2$ are the inputs the caller is actually interested in. It is the "responsibility" of the program to try and halt with an output which is an "approximation" to $y_0 + y_1 + y_2$. It is the responsibility of the caller to supply the program with sufficiently "good" approximations to justify the program's "assumption". Note that the caller's responsibility is only to give the program inputs which are sufficiently close to $x_0, x_1$ and $x_2$; it is not required to give the program particular inputs which are sufficiently close.

Fix $x_0, x_1, x_2 \in \mathbb{R}$ and $\varepsilon > 0$. Suppose the caller would be satisfied if the program returned it some number $w$ such that $|w - (x_0 + x_1 + x_2)| < \varepsilon$. How close approximations to $x_0, x_1$ and $x_2$ does the caller have to supply in order to get an output in $(x_0 + x_1 + x_2 - \varepsilon, x_0 + x_1 + x_2 + \varepsilon)$? First of all, it must at least supply approximations $y_0, y_1$ and $y_2$ such that $|(y_0 + y_1 + y_2) - (x_0 + x_1 + x_2)| < \varepsilon$, because if it did not, the program would be "justified" in handing it back a number close to $y_0 + y_1 + y_2$, possibly so close that it would be more than $\varepsilon$ from $x_0 + x_1 + x_2$. Suppose $\delta$ is sufficiently small that for any $y_0, y_1, y_2$ such that $|y_i - x_i| < \delta$ for $i = 0, 1, 2$, $|(y_0 + y_1 + y_2) - (x_0 + x_1 + x_2)| < \varepsilon$ (any $\delta \le \varepsilon/3$ will do). If the caller limited itself to inputting approximations in which $|y_i - x_i| < \delta$ for $i = 0, 1, 2$, would some sufficiently accurate machine ensure that the answer returned to the caller is in $(x_0 + x_1 + x_2 - \varepsilon, x_0 + x_1 + x_2 + \varepsilon)$? We cannot really give a firm "yes" or "no" to this question because we do not yet have a formal definition of what "sufficiently accurate" means. The "intuitive" answer, however, seems to be "no". To see why, consider the following example. Suppose we had $x_0 = x_1 = x_2 = 1$, $\varepsilon = 1.5$, and $\delta = .5$. Suppose we were running our program on a machine in which addition was allowed to introduce an absolute error of up to some small number $\eta > 0$, and $.5 + \eta/2$ was representable in the machine. Suppose the caller approximated $x_0, x_1$ and $x_2$ by $.5 + \eta/2$. Since the machine is allowed to introduce up to $\eta$ much error when performing an addition, it could assign RESULT to 1 in statement 10. It could then assign RESULT to a number as small as $1.5 - \eta/2$ in statement 20, which is not in $(x_0 + x_1 + x_2 - \varepsilon, x_0 + x_1 + x_2 + \varepsilon)$. We can make the machine we're running the program on arbitrarily accurate by making $\eta$ very small, but by the above argument, there will always be some approximations in the $(x_i - \delta, x_i + \delta)$ intervals which will cause the program to return a value more than $\varepsilon$ from the correct answer.

The reason this can happen is that the caller can choose its $y_0, y_1$ and $y_2$ just slightly less than $\delta$ from the corresponding $x_i$'s. When it does this, $|(y_0 + y_1 + y_2) - (x_0 + x_1 + x_2)|$ is just slightly less than $\varepsilon$. Thus, even a small error in the two machine additions can make RESULT more than $\varepsilon$ from the exact answer.

Suppose it were actually the case that for any $y_0, y_1$ and $y_2$ such that $|x_i - y_i|$ is less than or equal to $\delta$, $|(y_0 + y_1 + y_2) - (x_0 + x_1 + x_2)| < \varepsilon$. Again we pose the informal question: if the caller limited itself to inputting approximations $y_i$ in $(x_i - \delta, x_i + \delta)$, would some sufficiently accurate machine ensure that the answer returned to the caller is in $(x_0 + x_1 + x_2 - \varepsilon, x_0 + x_1 + x_2 + \varepsilon)$? The "intuitive" answer now seems to be "yes". Supporting evidence for this answer is the fact that the answer returned to the caller will be within $\varepsilon$ of the number we want if we run our program on a machine which uses floating point arithmetic with a sufficiently large number of bits in the mantissa and exponent. (We prove this below.) We can therefore define a degree of accuracy corresponding to all event systems large enough to meet the above condition.

Definition 2.1.2: for every $x_0, x_1, x_2 \in \mathbb{R}$ and $\varepsilon, \delta > 0$ we define the degree of accuracy $\mathrm{accuracy}(x_0, x_1, x_2, \varepsilon, \delta)$ to be the set of all event systems $T$ such that if

$\forall y_0, y_1, y_2 \in \mathbb{R}\,[\,|y_i - x_i| \le \delta \text{ for } i = 0, 1, 2 \rightarrow |(y_0 + y_1 + y_2) - (x_0 + x_1 + x_2)| < \varepsilon\,]$

then $\forall s$ such that $\langle s \rangle \in T$ and $s$ assigns A, B and C to numbers $y_0$, $y_1$ and $y_2$ respectively and $|y_i - x_i| < \delta$ for $i = 0, 1, 2$, $T$ must terminate and return a value in $(x_0 + x_1 + x_2 - \varepsilon, x_0 + x_1 + x_2 + \varepsilon)$ (i.e. there are no infinite paths through $T$ which start with $s$, and if $\sigma$ is a maximal element of $T$ which starts with $s$ then the last element of $\sigma$ must be a state which assigns RESULT a value $w$ such that $|w - (x_0 + x_1 + x_2)| < \varepsilon$).

□

The inputs and accuracy degrees of accuracy constitute the asymptotic specifications of our program. The inputs degrees will also be asymptotic axioms. This may seem peculiar, but it just reflects the fact that the ability to approximate fixed inputs more and more closely on bigger and bigger machines is both necessary to asymptotically compute 3-ary addition, and something we can assume is true.

What kind of asymptotic axioms can we assume about the machine's 2-ary addition? We want to assume conditions like the accuracy requirements above, only on 2-ary addition in the middle of the program's execution.

Definition 2.1.3: for any $x_0, x_1 \in \mathbb{R}$ and $\varepsilon, \delta > 0$, we define the degree of accuracy $\mathrm{primacc}(x_0, x_1, \varepsilon, \delta)$ to be the set of all event systems $T$ such that if $\forall y_0, y_1$ such that $|y_i - x_i| < \delta$ for $i = 0, 1$, $|(y_0 + y_1) - (x_0 + x_1)| < \varepsilon$, then:

1. if $\sigma * \langle e, e' \rangle \in T$ and $e$ is a state in which control is at statement 10 and A is assigned a value in $(x_0 - \delta, x_0 + \delta)$ and B is assigned a value in $(x_1 - \delta, x_1 + \delta)$, then $e'$ is a state in which RESULT is assigned a number in $(x_0 + x_1 - \varepsilon, x_0 + x_1 + \varepsilon)$.

2. if $\sigma * \langle e, e' \rangle \in T$ and $e$ is a state in which control is at statement 20 and RESULT is assigned a value in $(x_0 - \delta, x_0 + \delta)$ and C is assigned a value in $(x_1 - \delta, x_1 + \delta)$, then $e'$ is a state in which RESULT is assigned a number in $(x_0 + x_1 - \varepsilon, x_0 + x_1 + \varepsilon)$.

□

There is a condition that must hold of the asymptotic axioms in order for them to make sense, namely, for any finite set $B$ of asymptotic axioms there must exist an event system satisfying the absolute axioms which satisfies every $\beta \in B$. If this is not true, then our asymptotic axioms are too strong. When a set of conditions has the property that any finite collection can be satisfied, we will say that the set of conditions is finitely satisfiable.

Proposition 2.1.1: The collection of absolute and asymptotic axioms for the program is finitely satisfiable.

Proof: We will show that any degree of accuracy is met by a finite machine which uses binary floating point arithmetic with $n$ bits in the mantissa and $n$ bits in the exponent if $n$ is sufficiently large. Since such machines meet all the absolute axioms, this will establish the proposition.

Suppose the degree in question is $\mathrm{inputs}(x_0, x_1, x_2, \delta)$. We must show that some number in each interval $(x_i - \delta, x_i + \delta)$ will be machine-representable. If we take $n$ large enough that $2^n$ is bigger than the absolute values of all the $x_i \pm \delta$'s, and big enough that the minimum spacing between numbers whose absolute values are $< 2^n$ is $< \delta$, then there will necessarily be a machine-representable real in every $(x_i - \delta, x_i + \delta)$ interval because there will be machine-representable numbers both above and below the interval, and the spacing between machine representable numbers is too small for the interval to be between 2 adjacent machine representable numbers.

Suppose the degree in question is $\mathrm{primacc}(x_0, x_1, \varepsilon, \delta)$. The degree is satisfied vacuously unless $2\delta \le \varepsilon$; suppose this is the case. If we let $n$ be sufficiently large that the minimum spacing between machine representable numbers in the interval $I = (x_0 + x_1 - 2\delta, x_0 + x_1 + 2\delta)$ is less than $\varepsilon - 2\delta$, then if $|y_i - x_i| < \delta$ for $i = 0, 1$, $y_0 + y_1$ will be in the interval $I$, so the machine computation of the sum will be off by less than $\varepsilon - 2\delta$. Thus, the difference between the machine sum and the actual sum can be at most the sum of the differences between the $y_i$'s and the $x_i$'s ($\delta$ each) and the maximum machine error, $\varepsilon - 2\delta$. In other words, the maximum error is $< \varepsilon$, as desired.
Now we are ready to state formally what we wish to mean by asymptotic correctness of the program. We say the program is asymptotically correct iff for every finite set $A$ of asymptotic specifications, there exists a finite set $B$ of asymptotic axioms such that if $T$ is an event system which satisfies the absolute axioms and is in every $\beta \in B$, then $T$ is in every $\alpha \in A$.

Proposition 2.1.2: The program is asymptotically correct.

Proof: We need only show that for any degree accuracy(x0, x1, x2, ε, δ),
there is a finite set of primacc degrees such that if we assume the program
satisfies the finite set of primacc degrees then we can prove it satisfies the
accuracy degree. There is a finite set of primacc degrees which ensure that
the errors in statements 10 and 20 are each less than (ε − 3δ)/2. The difference
between the actual sum x0 + x1 + x2 and the final value of RESULT is at
most the sum of the differences between the y_i's and the x_i's (δ each) and
the sum of the two computation errors ((ε − 3δ)/2 each). This adds up
to at most ε, as desired.
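The error budget in the proof above, worked through as an added example (this is illustration code, not the report's own formalism): a toy machine whose representable reals have a k-bit mantissa and an unbounded exponent, modelled exactly with rationals, on which one can check that choosing k large enough makes some representable input lie within δ of each x_i (the inputs degree) and keeps |RESULT − (x0 + x1 + x2)| below ε (the accuracy degree). The mantissa model, the function names and the sample inputs are assumptions of the example.

```python
from fractions import Fraction
import random

# Added example (not the report's own code): a toy machine whose representable
# reals are the numbers m * 2**e with |m| < 2**k (k-bit mantissa, unbounded
# exponent).  Everything is computed with exact rationals so the error bounds
# of Proposition 2.1.2 can be checked rather than estimated.


def round_to_machine(x, k):
    """Nearest k-bit-mantissa number to x.

    The unit in the last place is 2**e with 2**(k-1) <= |x| / 2**e < 2**k, so
    the rounding error is at most 2**e / 2 <= |x| * 2**-k.
    """
    x = Fraction(x)
    if x == 0:
        return x
    e, ax = 0, abs(x)
    while ax / Fraction(2) ** e >= 2 ** k:
        e += 1
    while ax / Fraction(2) ** e < 2 ** (k - 1):
        e -= 1
    ulp = Fraction(2) ** e
    return round(x / ulp) * ulp


def machine_add(a, b, k):
    """The primitive real addition: exact sum, then one rounding (the machine error)."""
    return round_to_machine(a + b, k)


def choose_k(bound):
    """Smallest k with 2**-k < bound (the 'n sufficiently large' step of the proof)."""
    k = 0
    while Fraction(1, 2 ** k) >= bound:
        k += 1
    return k


def program_sum(y0, y1, y2, k):
    """Statements 10 and 20 of the motivating example on the toy machine."""
    result = machine_add(y0, y1, k)       # 10: RESULT := y0 + y1
    result = machine_add(result, y2, k)   # 20: RESULT := RESULT + y2
    return result


def representable_input(x, delta, k, rng):
    """A machine-representable y with |y - x| < delta (the inputs degree).

    x is perturbed by less than delta/4 and rounded; the caller picks k so
    that the rounding error is below delta/2, hence |y - x| < delta.
    """
    jitter = Fraction(rng.randint(-1000, 1000), 2001) * delta / 2
    return round_to_machine(x + jitter, k)


def error_budget_holds(xs, eps, delta, trials=200, seed=1):
    """Check Proposition 2.1.2 on constructed inputs.

    With 3*delta < eps, pick k so that every rounding error is below both
    delta/2 and (eps - 3*delta)/2.  Then for any representable inputs within
    delta of the x_i, the final RESULT is within eps of the exact sum:
    3*delta from the inputs plus two computation errors of < (eps-3*delta)/2.
    """
    assert len(xs) == 3 and 0 < 3 * delta < eps <= 1
    per_op = (eps - 3 * delta) / 2
    bound = sum(abs(x) for x in xs) + 1           # every rounded value has |.| < bound
    k = choose_k(min(per_op, delta / 2) / bound)  # error <= |x| * 2**-k < min(...)
    rng = random.Random(seed)
    exact = sum(xs)
    for _ in range(trials):
        ys = [representable_input(x, delta, k, rng) for x in xs]
        if any(abs(y - x) >= delta for x, y in zip(xs, ys)):
            return False                          # inputs degree violated
        if abs(program_sum(*ys, k) - exact) >= eps:
            return False                          # accuracy degree violated
    return True
```

The two roundings inside program_sum are the "computation errors" of the proof; because the mantissa model is relative, the absolute error of each rounding is bounded through the magnitude of the operand, which is why choose_k divides by a bound on all values that occur.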


2.2 Generalized Asymptotic Computation

In this section we generalize the example given in the last section to a
general model of asymptotic computation.


2.2.1 Programs

We will first generalize the notion of a program. We define a language
of flow chart programs called SRNL, for Simple Real Number Language.
Before we describe SRNL, we will make the following comment: it's been
our experience that in order to write asymptotically correct programs to
do nontrivial tasks, it is necessary that we be able to detect exceptional
conditions and take appropriate action when such conditions arise. SRNL
accommodates this necessity by incorporating exception handling. This is
discussed further below.

A program consists of:

1. a finite collection of variables

2. an assignment of types to the variables

3. a flow chart

We allow variables of types integer (including both positive and negative
integers) and real.


A flow chart is a directed graph whose nodes correspond to program statements
and whose arrows correspond to possible flows of control. We will first
describe flow charts informally. Each node is assigned to exactly one of the
following categories:

• start nodes (these are the nodes where control can be when the program
starts executing)

• halt nodes (these nodes correspond to normal program termination)

• assignment nodes (these are the nodes where variables are assigned new
values)

• test nodes (these are the nodes where control branches according to
some condition)

Some categories may have no nodes in them, but there must be at least one
start node.

Arrows can be unlabeled, or they can be labeled with one of the following
labels: "true", "false" or "exception". (Unlabeled arrows correspond to
unconditional control flows; arrows labeled with "true" or "false" correspond
to conditional control flows; arrows labeled with "exception" correspond to
control flows associated with exception handling.)

Start nodes are unlabeled. They may have only unlabeled arrows coming
from them, and each start node must have at least one arrow coming from
it. Start nodes can have no arrows going to them.

Halt nodes are unlabeled. They may not have any arrows coming from
them.

Each assignment node is labeled with an assignment statement. An
assignment statement is a statement of the form

v := t

where v is a variable of the program and t is a term whose output type is
the same as the type of v. A term is just a program variable, a constant
symbol or a function symbol applied to a collection of program variables.
We will list the constant and function symbols and their types below. An
assignment node must have at least one unlabeled arrow coming from it, and
every arrow coming from an assignment node must either be an unlabeled
arrow or must be labeled with "exception".

Each test node is labeled with a boolean expression. We will define the
boolean expressions below. A test node must have at least one arrow labeled
"true" and one arrow labeled "false" coming from it, and every arrow
coming from a test node must be labeled.

Terms are built up from program variables and constant symbols by applying
function symbols. The constant and function symbols (listed by type
signature) that we will be using are:
1. constant symbols of type integer: 0_Z and 1_Z

2. constant symbols of type real: 0_R and 1_R

3. binary function symbols which take integers and return integers: +_Z,
−_Z, *_Z

4. binary function symbols which take reals and return reals: +_R,
−_R, *_R, /_R


Note: in actual examples, we will "cheat" in a couple of ways to make
our programs more readable. For example, technically, we need subscripts
on symbols like "1" and "+" to distinguish between integer constants and
functions and real constants and functions, which are usually denoted by
the same symbol. In our examples, we will drop the subscripts, and it will
always be clear from context whether we mean the integer symbols or the
real ones. Also, we will use other symbols besides those above, e.g. other
numerals, like "2", and the unary − function. These symbols should be
regarded as abbreviations for terms written using only the symbols above,
so "2" is an abbreviation for "1 + 1" and "−x" is an abbreviation for "0 − x".
Finally, we will use more complex terms in our assignment statements than
just the simple terms allowed by SRNL. These terms are abbreviations for
pieces of code which evaluate the complex expression one subterm at a time,
storing the intermediate results in temporary variables. The restriction to
simple terms will eventually be removed from SRNL, but for the time being
we have placed this limitation on the programs to make the semantics easier
to state. The principal difficulty in stating semantics for complex terms is
that an exception may occur in the middle of evaluating a term, which can't
happen with the simple terms we're restricting ourselves to at the moment.

Boolean expressions are built up from atomic boolean expressions by
applying boolean connectives. We allow all the usual boolean connectives
(e.g. ∧, ∨, ¬). Atomic boolean expressions are of the form

P(v_0, ..., v_n)

where P is a predicate symbol and v_0, ..., v_n are program variables whose
types match the input type signature of P. The predicate symbols we will
use, listed by type signature, are:

1. binary predicate symbols which take integer arguments: =_Z, <_Z

2. binary predicate symbols which take real arguments: =_R, <_R

Again, in actual examples we will drop the subscripts, and will use
abbreviations like "x ≤ y" for "(x = y) ∨ (x < y)".

We will now give the formal definition of a flow chart. A flow chart is a
tuple (N, START, HALT, ASSIGN, TEST, UA, TA, FA, EA, L) such
that:

1. N is a nonempty set (the nodes).

2. START, HALT, ASSIGN and TEST are disjoint subsets of N whose
union is all of N. START is nonempty.

3. UA, TA, FA and EA are binary relations on N (UA is the unlabeled
arrow relation, TA is the "true" arrow relation, FA is the "false"
arrow relation and EA is the "exception" arrow relation).

4. L is a function from ASSIGN ∪ TEST into the set consisting of
the assignment statements and boolean expressions of the program
such that ∀α ∈ ASSIGN, L(α) is an assignment statement, and
∀α ∈ TEST, L(α) is a boolean expression.

5. ∀α, β ∈ N, if UA(α, β) or TA(α, β) or FA(α, β) or EA(α, β) then
α ∉ HALT and β ∉ START.

6. ∀α, β ∈ N, if UA(α, β) then α ∉ TEST.

7. ∀α, β ∈ N, if TA(α, β) or FA(α, β) then α ∈ TEST.

8. ∀α, β ∈ N, if EA(α, β) then α ∉ START.

9. ∀α ∈ START ∪ ASSIGN, ∃β ∈ N such that UA(α, β).

10. ∀α ∈ TEST, ∃β, γ ∈ N such that TA(α, β) and FA(α, γ).
2.2.2 Semantics

We now give a semantics to the programs defined in the previous subsection
by associating each program with a class of event systems. The
various event systems in the class correspond to implementations of the
program on machines of various sizes. We will now fix a program P and
describe the class of event systems associated with it. The members of this
class will be referred to as the models of the program. We will denote the
set of nodes, categories of nodes, arrow relations and label function using
the same notation as in the previous subsection.

First, we need to say what a state of P consists of:

1. a node of the flow chart (this represents the place where control is
at the moment)

2. an assignment of some subset of the variables to elements of their
associated types

Formally, then, a state is a pair (α, V) where α is a node and V is a
function from some subset of the program variables into the disjoint union
of Z and R which takes integer variables to integers and real variables to
real numbers.

If s is a state and v is a variable which is assigned a value by s, we will denote
the value assigned to v by s by s(v). If t is a term all of whose variables
are assigned a value by s, we will denote the ideal value of the term under this
assignment by s(t).

A model of P is an event system over the set of states described above which
meets certain conditions. As in the previous section, these conditions will
be referred to as the absolute axioms of P. We will first discuss certain
considerations which influenced the conditions we impose, then we will
state the conditions informally, and then give their formal equivalents.

In formulating the conditions for an event system being a model of P, the
following considerations were taken into account:
1. Nothing was assumed about the accuracy of real-valued functions.
This was because the conditions we give below are intended to define
what we felt we could assume about P running on any machine,
whether large or small. Almost any assumption about accuracy of
real-valued functions would be invalid on a sufficiently small machine.

2. Integer-valued functions, by contrast, were assumed to be perfectly
accurate when they did not cause an exception to be raised. We felt
this was a reasonable assumption on both large and small machines.

3. We did not assume that there were any circumstances in which the
evaluation of a real- or integer-valued function would not raise an
exception. In other words, we allow "maximum flakiness" from the
real- and integer-valued functions. This was, again, because just
about any assumption about functions not raising exceptions would
be invalid on a sufficiently small machine.

4. Comparisons of numbers (i.e. for equality or <) were assumed to be
accurate, and furthermore were assumed not to raise exceptions.

5. Assignments of the form v := w where w is a program variable were
assumed to be perfectly accurate. In other words, it was assumed
that error only arises from evaluating arithmetic functions, and not
from copying values of variables into other variables.

6. Other things assumed to be carried out accurately were evaluation of
boolean connectives, detection of undefined variables, flow of control,
and holding constant the values of variables not assigned to.


The informal statements of the conditions are as follows:

1. Initially, control is always at some start node in the flow chart.

2. If control is at a start node α, control flows along some arrow from
α, and the values of the variables do not change.

3. Exceptions can only occur at assignment nodes and test nodes.

4. An exception will occur at an assignment or test node if the node's
label contains a variable which is not defined.

5. An exception will not occur at an assignment node if the node's label
is v := w and w is a program variable which is defined.

6. An exception will not occur at a test node if all variables in the node's
boolean expression are defined.

7. If control is at a node α and an exception occurs, and there are no
exception arrows coming from α, then P terminates abnormally.

8. If control is at a node α, and an exception occurs, and there are
exception arrows coming from α, then control flows along one of the
exception arrows, and the assignment of variables is unchanged.

9. If control is at an assignment node α labeled with assignment
statement v := t and no exception occurs, control flows along one of the
unlabeled arrows from α, v is assigned a value, and the values of
variables other than v do not change. In addition, if t is an integer term
and no exception occurs, v is assigned the value s(t). If t is a program
variable then v is assigned the value s(t).

10. If control is at a test node α and no exception occurs, control flows
along an arrow labeled "true" if α's boolean expression is true, and
along an arrow labeled "false" if α's boolean expression is false.

11. If control is at a halt node, no further state transitions can occur. If
control is not at a halt node and P has not terminated abnormally,
then further state transitions must occur.


We now state the formalization of the conditions for an event system T to
be a model of P:

1. ∀σ ∈ T, ! does not occur twice consecutively in σ.

2. ∀e, if (e) ∈ T then e = (α, V) for some α ∈ START.

3. ∀σ, α ∈ N and V an assignment of program variables, if σ⌢((α, V), !) ∈ T
then all of the following are true:

(a) α ∈ ASSIGN ∪ TEST

(b) It is not the case that α ∈ ASSIGN, L(α) = "v := w" where w is
a program variable, and V assigns a value to w.

(c) It is not the case that α ∈ TEST, and V assigns a value to every
variable in L(α).

4. ∀σ, α, β ∈ N and V, V' assignments of program variables, if

σ⌢((α, V), !, (β, V')) ∈ T

then EA(α, β) and V' = V.

5. ∀σ, α, β ∈ N and V, V' assignments of program variables, if

σ⌢((α, V), (β, V')) ∈ T

then all of the following are true:

(a) If α ∈ START then UA(α, β) and V' = V.

(b) If α ∈ ASSIGN and L(α) = "v := t" then:

i. V assigns a value to all variables occurring in t.

ii. UA(α, β), V'(v)↓, and ∀ program variables v' ≠ v, V'(v') =
V(v').

iii. If t is an integer term, V'(v) = V(t).

iv. If t is a program variable, V'(v) = V(t).

(c) If α ∈ TEST then:

i. V assigns a value to all variables occurring in L(α).

ii. V' = V.

iii. TA(α, β) if L(α) is true and FA(α, β) if L(α) is false.

6. ∀σ ∈ T, if the last element of σ is (α, V) then σ is maximal in T iff
α ∈ HALT.

7. ∀σ ∈ T, if σ is maximal and the last element of σ is !, then ∃α ∈ N
and V an assignment of program variables such that (α, V) is the
next-to-last entry of σ and there is no β ∈ N such that EA(α, β).

8. The set of all events which appear in some σ ∈ T is finite.
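The informal conditions 1 to 11 and the exception clauses of the formal conditions 3 to 7, realised for one concrete machine as an added example (this is illustration code written for this page, not the report's own model): integer arithmetic is exact, real arithmetic is rounded to a multiple of 2^−K, any result outside [−BOUND, BOUND] raises an exception, and an exception at a node with no exception arrow terminates the run abnormally. The flow-chart encoding, the machine parameters K and BOUND, and the sample doubling program are assumptions of the example.

```python
from fractions import Fraction

# Added example (not the report's own code): an interpreter that realises the
# informal conditions 1-11 for one concrete machine.  Integer arithmetic is
# exact, real arithmetic is rounded to a multiple of 2**-K, and any integer or
# real result outside [-BOUND, BOUND] raises an exception (overflow).  The
# flow-chart encoding and the machine parameters are assumptions of the example.

K = 8
BOUND = Fraction(2 ** 10)


class MachineException(Exception):
    """The '!' event: raised at assignment and test nodes only (condition 3)."""


def lookup(V, name):
    if name not in V:                        # condition 4: undefined variable
        raise MachineException(f"undefined variable {name}")
    return V[name]


def evaluate(term, V, is_int):
    """Value of a simple term under V on this machine, or raise MachineException."""
    if isinstance(term, str):                # v := w copies exactly (conditions 5, 9)
        return lookup(V, term)
    op, a, b = term
    x, y = lookup(V, a), lookup(V, b)
    if op == "/":
        if y == 0:
            raise MachineException("division by zero")
        r = Fraction(x) / y
    else:
        r = {"+": x + y, "-": x - y, "*": x * y}[op]
    if abs(r) > BOUND:                       # "maximum flakiness": overflow is an exception
        raise MachineException("overflow")
    if is_int:
        return r                             # integer functions are exact (consideration 2)
    return round(r * 2 ** K) * Fraction(1, 2 ** K)   # real functions are rounded


def truth(expr, V):
    """Boolean expressions: connectives and comparisons are exact (considerations 4, 6)."""
    op = expr[0]
    if op == "not":
        return not truth(expr[1], V)
    if op in ("and", "or"):
        l, r = truth(expr[1], V), truth(expr[2], V)
        return (l and r) if op == "and" else (l or r)
    x, y = lookup(V, expr[1]), lookup(V, expr[2])
    return x == y if op == "=" else x < y


def run(prog, V, fuel=10_000):
    """Execute prog from its start node with initial assignment V.

    Returns ("halt", node, V) on normal termination (condition 11),
    ("abnormal", node, V) when an exception meets no exception arrow
    (condition 7), or ("diverge", node, V) when fuel runs out, a bounded
    stand-in for non-termination."""
    succ = lambda rel, a: next(b for x, b in rel if x == a)
    node, V = min(prog["START"]), dict(V)                # condition 1
    for _ in range(fuel):
        if node in prog["HALT"]:
            return ("halt", node, V)
        if node in prog["START"]:                        # condition 2
            node = succ(prog["UA"], node)
            continue
        label = prog["L"][node]
        try:
            if label[0] == "assign":                     # condition 9
                _, v, t = label
                V = {**V, v: evaluate(t, V, prog["types"][v] == "int")}
                node = succ(prog["UA"], node)
            else:                                        # condition 10
                node = succ(prog["TA"] if truth(label[1], V) else prog["FA"], node)
        except MachineException:
            exits = [b for a, b in prog["EA"] if a == node]
            if not exits:                                # condition 7
                return ("abnormal", node, V)
            node = exits[0]                              # condition 8: V unchanged


    return ("diverge", node, V)


# Constructed sample: X := X * 2 repeated N times, counting with I; the
# doubling node has an exception arrow to the halt node OVF.
DOUBLE = dict(
    types={"N": "int", "I": "int", "ONE": "int", "ZERO": "int", "X": "real", "TWO": "real"},
    START={"S"}, HALT={"DONE", "OVF"}, ASSIGN={"INIT", "DBL", "INC"}, TEST={"T"},
    UA={("S", "INIT"), ("INIT", "T"), ("DBL", "INC"), ("INC", "T")},
    TA={("T", "DBL")}, FA={("T", "DONE")}, EA={("DBL", "OVF")},
    L={"INIT": ("assign", "I", "ZERO"),
       "T": ("test", ("<", "I", "N")),
       "DBL": ("assign", "X", ("*", "X", "TWO")),
       "INC": ("assign", "I", ("+", "I", "ONE"))},
)
CONSTS = {"ZERO": 0, "ONE": 1, "TWO": Fraction(2)}


def double_n_times(x, n):
    return run(DOUBLE, {**CONSTS, "X": Fraction(x), "N": n})


def unhandled():
    """Same program without the exception arrow, started with X undefined."""
    return run(dict(DOUBLE, EA=set()), {**CONSTS, "N": 1})
```

Starting the doubling program with X = 1 and N = 3 halts normally at DONE with X = 8; with N = 20 the eleventh doubling overflows BOUND, the exception arrow is taken with the assignment unchanged (X = 1024), and the run halts at OVF; without the exception arrow, an undefined X makes the first doubling terminate the run abnormally at DBL.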

2.2.3 Asymptotic Specifications

In this subsection we generalize the notion of asymptotic specifications from
the previous section. As in the previous section, the asymptotic specifications
will be a set of degrees of accuracy, but we're going to want to be
able to specify something slightly more general about our program P than
simply that it asymptotically compute a function. In general, we're going
to want to specify that a certain relation hold between the assignment of
the variables when P starts and when it ends. We call such a relation a
specification relation for P.

If R is the binary relation we would like to have hold between the variable
assignments at start and termination, we'd like to require the following:

1. We can start up P with any assignment of variables.

2. If we start up P with an assignment of variables V, and there exists
an assignment of variables W such that R(V, W), then P eventually
terminates with an assignment of variables W' (possibly W) such
that R(V, W').

3. If we start up P with an assignment of variables V and there is no
assignment of variables W such that R(V, W), then P either doesn't
terminate, or terminates abnormally (i.e. with an exception).

Of course, as in the previous section, we can't in general meet the above
requirements on a finite machine. What we will try to verify instead is that
for any degree of accuracy d of satisfying R (in the sense described above),
there exists a degree of accuracy d' of computing the primitive functions
of SRNL such that for any event system T satisfying the absolute axioms
and d', the input/output behavior of T will satisfy d. The remainder of
this subsection is devoted to deciding what we want to mean by "degrees
of accuracy of satisfying R", and what kinds of R's we will allow ourselves
to use in specifications. As before, a degree of accuracy is formally a set of
event systems.

Suppose that the real variables of P are X_1, ..., X_n, and the integer
variables are I_1, ..., I_m. First of all, we can't start up P with an arbitrary
assignment of variables on a finite machine. If, however, we have a fixed
assignment of variables V, then on a sufficiently accurate machine we want
to be able to start up P with a variable assignment V' which is "close to"
V. In order to make precise what we mean by "close", we need some
notion of "the distance between two variable assignments". If V and V' are
two variable assignments, we define the distance between them (denoted
by p(V, V')) as follows:

• If V and V' make the same variables defined and undefined, then
p(V, V') is the largest element of the set

{|V(v) − V'(v)| : v is a variable defined by both V and V'}

• p(V, V') = 1 otherwise.

The first clause says that if two variable assignments assign the same set of
variables then their distance apart depends on how far apart their
assignments of the variables are. The second clause of the definition says
essentially that variable assignments which do not assign values to the same set
of variables are not "close to" each other.

If V is a fixed variable assignment and δ > 0, then on a sufficiently accurate
machine we want to be able to start up P with an assignment of variables V'
such that p(V, V') < δ. For each assignment V and δ > 0 we can therefore
define a degree of accuracy consisting of those event systems which are
accurate enough to meet the above condition.


Definition 2.2.1: for any assignment of program variables V and δ > 0
we define the degree of accuracy startup(V, δ) to be the set of all event
systems T for P such that ∃ an assignment of program variables V' such
that p(V', V) < δ.

□

The startup degrees are analogous to the inputs degrees of the previous
section.

Again, we imagine P being used by a caller which wants to run the program
with an initial assignment of variables V and have it terminate with an
assignment of variables W such that R(V, W). What can we reasonably
specify about how accurately P meets R? Our answer to this question will
be complicated somewhat by the fact that there may be no W such that
R(V, W). We will put off dealing with this complication until later, and for
the moment we will assume that there exists W such that R(V, W). We will
refer to such W's as good variable assignments ("good" in the sense that
they are the variable assignments the caller would like to get close to). We
will refer to the set of V's such that ∃W such that R(V, W) as the domain
of R, denoted by dom(R).

In the example, the caller had to run P on a sufficiently large machine and
give the program an input sufficiently close to the desired input that it
would get an output less than a certain error from the value of the 3-ary
addition function. In the more general case we're dealing with here, there
may be a number of different good W's, and the caller just wants P to
terminate with some assignment of variables which is close to one of the
good W's. Suppose the caller would be satisfied if the program terminates
with variable assignment U that is within ε of some good W. How good
an approximation V' to V does the caller need to start up P with in order
to get such a U? We claim the caller must at least start up P with a
variable assignment V' such that:

1. V' ∈ dom(R)

2. ∀U such that R(V', U), there exists a good W within ε of U
Why must these conditions be met? First of all, suppose the caller started
up P with a V' ∉ dom(R). P "assumes" that V' is the variable assignment
the caller is actually interested in. Since there is no way it can terminate
with a U such that R(V', U), the program would be "justified" in terminating
with an exception or not terminating at all. Suppose the caller started
up P with a V' ∈ dom(R) but there is some U such that R(V', U) and there
is no good W within ε of U. The program would be justified in terminating
with a variable assignment very close to U, possibly so close that it is
not within ε of any good W. Thus, the caller must pick some δ > 0 such
that ∀V' such that p(V, V') < δ, the above two conditions are met, and
restrict itself to starting up with variable assignments < δ away from V.
(We require that the two conditions hold for all V' less than or equal to δ
away from V because otherwise there may exist V' which is just slightly less
than δ away from V such that slight errors in the program's arithmetic are
just enough to allow the program to terminate with a variable assignment
slightly more than ε away from the nearest good W. This situation was
illustrated concretely in the Motivating Example.)

What if there is no such δ? Consider the following example: suppose our
specification is that if we start up the program with X_1 = x we want it
to terminate with I_1 = 0 if x < √2 and with I_1 = 1 otherwise. In other
words, we want the program to tell us if x < √2 or not. Suppose the x the
caller is interested in is actually √2; then the "good" W's are the ones in
which I_1 = 1. No matter how small we take δ, however, there will be some
y within δ of √2 such that y < √2. Even if we ran P on a very accurate
machine, if we gave it an input y ∈ (√2 − δ, √2), the program would be
justified in terminating with I_1 = 0. (In fact, for such a y, this is the right
answer.)

There is another way the desired δ can fail to exist. Suppose our specification
is that if we start up the program with the value of X_1 = x and x is a
real number which has only 0's after the decimal point, then we want the
program to terminate with I_1 = the integer corresponding to x; otherwise,
we want P to either raise an exception or fail to terminate. In terms of
binary relations on variable assignments, we want the starting and ending
assignments of variables to satisfy R where R(V, W) iff V(X_1) has only 0's
after the decimal place and W(I_1) is the integer corresponding to V(X_1).

Suppose the x the caller is interested in is 1; then the specification says P
should terminate with I_1 = 1. No matter how small we take δ, there will
be some y within δ of 1 such that y does not correspond to an integer, and
so the program would be justified in terminating with an exception or not
terminating.

We didn't encounter this problem in the Motivating Example because 3-ary
addition is a continuous, total function, so the δ we need always exists.
In the first example above, we are asking P to compute a discontinuous
function. In the second example, we are asking P to compute a function
for which there are points x in the domain such that there are points y not
in the domain arbitrarily close to x. In topology, a set O which has the
property that if x ∈ O then ∃δ > 0 such that every y within δ of x is in O
is called an open set; in the second example, we are asking P to compute a
function whose domain is not open.

What all this adds up to is that we can only expect to asymptotically
compute functions which have open domains and which are continuous on
their domains. We must therefore restrict ourselves to specifying that P
asymptotically compute a function F only if F is continuous on an open
domain. We can express this in the more general setting of specification
relations by restricting ourselves to relations R such that

∀V ∈ dom(R), ∀ε > 0, ∃δ > 0, ∀V'[p(V', V) < δ → V' ∈ dom(R) ∧
∀U[R(V', U) → ∃W[R(V, W) ∧ p(W, U) < ε]]]


Given that we restrict ourselves to such R's, we define the following degrees
of accuracy:

Definition 2.2.2: for any variable assignment V and ε, δ > 0, we define
the degree of accuracy accuracy_R(V, ε, δ) to be the set of all event systems
T for P such that if V ∈ dom(R) and

∀V'[p(V, V') < δ → V' ∈ dom(R) ∧ ∀U[R(V', U) → ∃W[R(V, W) ∧
p(U, W) < ε]]]

then ∀e such that (e) ∈ T and the variable assignment associated with e
is V' and p(V, V') < δ, if T is started up with e then it must eventually
terminate normally in a state e' with associated variable assignment U such
that ∃W[R(V, W) ∧ p(U, W) < ε] (i.e. there is no infinite path through T
which starts with e, and any maximal σ ∈ T which starts with e ends with
an e' meeting the above condition).


□ 
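The distance p(V, V'), the startup(V, δ) degree and the conclusion of Definition 2.2.2, instantiated for one machine and one specification relation as an added example (illustration code written for this page, not the report's own): real variables are rounded to a uniform grid of spacing 2^−k, grid points add exactly, and R is the Motivating Example's relation (RESULT must equal X0 + X1 + X2, so dom(R) is every assignment defining exactly those inputs). The grid model, the function names and the sample inputs are assumptions of the example.

```python
from fractions import Fraction

# Added example (not the report's own code): the distance p between variable
# assignments, the startup(V, delta) degree and the conclusion of
# accuracy_R(V, eps, delta) for one concrete run.  The machine (values rounded
# to multiples of 2**-k, grid points adding exactly) and the specification
# relation R (RESULT = X0 + X1 + X2) are assumptions of the example.


def p(V, W):
    """Distance between two variable assignments (dicts of variable -> value)."""
    if set(V) != set(W):          # second clause: different defined sets are far apart
        return Fraction(1)
    return max((abs(V[v] - W[v]) for v in V), default=Fraction(0))


def nearest_machine_assignment(V, k):
    """V' with every value rounded to the machine grid of spacing 2**-k."""
    s = Fraction(1, 2 ** k)
    return {v: round(x / s) * s for v, x in V.items()}


def in_startup_degree(V, delta, k):
    """The grid machine is in startup(V, delta) iff some representable V'
    is within delta of V; the nearest grid assignment is the best witness."""
    return p(V, nearest_machine_assignment(V, k)) < delta


def good_assignments(V):
    """The W with R(V, W): inputs unchanged and RESULT = X0 + X1 + X2.
    dom(R) is every V that defines X0, X1, X2 (and nothing else)."""
    if set(V) != {"X0", "X1", "X2"}:
        return []
    return [{**V, "RESULT": V["X0"] + V["X1"] + V["X2"]}]


def run_sum(Vp, k):
    """The program on the grid machine: each addition is rounded to the grid,
    which is exact for grid-point operands, so the only error comes from the
    rounded inputs."""
    s = Fraction(1, 2 ** k)
    r = round((Vp["X0"] + Vp["X1"]) / s) * s
    r = round((r + Vp["X2"]) / s) * s
    return {**Vp, "RESULT": r}


def meets_accuracy(V, U, eps):
    """Conclusion of Definition 2.2.2 for a run that ended with U:
    there is a good W (R(V, W)) with p(U, W) < eps."""
    return any(p(U, W) < eps for W in good_assignments(V))


def accurate_run(V, eps, delta, k):
    """Start the grid machine with the nearest V' (which must be within delta
    of V), run the program and check the accuracy conclusion."""
    Vp = nearest_machine_assignment(V, k)
    if p(V, Vp) >= delta:
        return False
    return meets_accuracy(V, run_sum(Vp, k), eps)
```

Because p compares the whole assignment, the inputs carried through to U also count towards the distance from the good W, not just RESULT; with spacing 2^−10 the run on the sample inputs lands within 1/100 of the good W but not within 1/10000, which is the kind of ε/δ trade-off the degrees are meant to express.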

We  now  return  to  the  question  of  what  we  can  reasonably  specify  about 
how  accurately  P  meets  R  in  the  case  where  the  caller  is  interested  in 
starting  up  P  with  an  input  U  /  dom(f?).  Unfortunately,  we  don’t  have 
a  good  answer  to  this  question  at  this  point.  We’d  like  it  to  be  the  case 
that  if  we  take  a  sufficiently  accurate  implementation  and  start  it  up  with 
a  V'  sufficiently  close  to  V,  that  the  program  will  terminate  abnormally 
i  i.e.  with  an  unhandled  exception)  or  at  least  go  into  an  infinite  loop.  This 
specification  is  unfortunately  too  strict..  Consider  the  following:  suppose 
our  specification  is  that  if  we  start  up  P  with  Xt  =  ,r  ^  0  then  the  program 
terminates  with  X2  =  l/.r.  In  other  words.  P  computes  the  reciprocal 
function.  Suppose  the  x  the  caller  is  interested  in  is  0.  Suppose  that 
this  expression  is  being  evaluated  on  a  very  accurate  machine  which  uses 
some  sort  of  floating  point  representation  of  reals  such  that  for  any  y  ^  0 
representable  in  the  machine.  1/y  is  between  two  numbers  representable 
in  the  machine.  The  caller  could  input  a  number  very  close  to  0  and  still 
not  get  an  exception  or  go  into  an  infinite  loop.  In  fact,  one  can  imagine 
arbitrarily  accurate  machines  of  this  sort  and  inputs  arbitrarily  close  to  0 
which  would  not  raise'  an  exception  or  fail  to  terminate.  Thus,  even  on  a 
very  accurate  machine,  the  caller  cannot  choose  a  number  sufficiently  close' 
to  0  that  will  cause  the-  program  to  inelicate  that  the  expression  the  calh'r 
is  actually  trying  to  evaluate  (i.e\  1/0)  is  unde'fined. 

Our "solution" to this problem at the present time is to define asymptotic computation solely in terms of what P does when started up with a variable assignment V' which is "near" a $V \in \mathrm{dom}(R)$. In other words, we use the degrees of accuracy defined above, which only concern accuracy of computation on V's in $\mathrm{dom}(R)$. Thus, with our present definition, proving asymptotic correctness of a program does not tell us anything about what kind of behavior we can expect if we run the program on larger and larger machines with starting variable assignments closer and closer to a $V \notin \mathrm{dom}(R)$. This is not really an acceptable solution; we are still working on the problem.

The asymptotic specifications are therefore the degrees $\mathrm{startup}(V, \delta)$ and $\mathrm{accuracy}_R(V, \varepsilon, \delta)$.

2.2.4  Asymptotic  Axioms 

Our asymptotic axioms will be statements of the same form as the $\mathrm{accuracy}_R$ degrees about the execution of the program's primitive functions. We can simplify the definition somewhat, since the asymptotic axioms are just specifying that certain functions are computed accurately (rather than some more complicated specification in terms of a binary relation on variable assignments).

Definition 2.2.3: For any assignment node a with label $v := F(v_1, \dots, v_l)$ and variable assignment V and $\varepsilon, \delta > 0$, we define the degree of accuracy $\mathrm{primacc}_a(V, \varepsilon, \delta)$ to be the set of all event systems T such that if V assigns a value to $v_1, \dots, v_l$ and $F(V(v_1), \dots, V(v_l))\downarrow$ and

$$\forall V'\,\bigl[\rho(V, V') < \delta \rightarrow F(V'(v_1), \dots, V'(v_l))\downarrow \;\wedge\; |F(V'(v_1), \dots, V'(v_l)) - F(V(v_1), \dots, V(v_l))| < \varepsilon\bigr]$$

then $\forall \sigma, e, e'$, if $\sigma^\frown(e, e') \in T$ and $e = (a, V')$ and $\rho(V, V') < \delta$ then $e' \neq\, !$ and $e'$ assigns v a value w such that

$$|w - F(V'(v_1), \dots, V'(v_l))| < \varepsilon.$$

□

The asymptotic axioms are the degrees $\mathrm{startup}(V, \delta)$ and $\mathrm{primacc}_a(V, \varepsilon, \delta)$ (as in the Motivating Example, the degrees which say we can approximate inputs closely are both part of the specification and something we can assume).


Note that the $\mathrm{primacc}_a$ degrees don't merely restrict how bad roundoff error, etc. can be; they also restrict the circumstances under which exceptions can occur. The absolute axioms place almost no restrictions on when exceptions can occur. In fact, an event system may raise an exception on every assignment statement and still satisfy the absolute axioms. If we require that more and more asymptotic axioms are met, however, we find that the circumstances in which an event system is allowed to raise an exception are more and more restricted.

We need to check that the asymptotic axioms are finitely satisfiable. It is easy to see that for any finite collection A of asymptotic axioms there exists an event system for P which meets the absolute axioms and every axiom in A, just by taking:

1. a sufficiently large initial segment of the integers as the machine's integer type

2. real numbers expressible in binary floating-point notation with a sufficiently large exponent and mantissa (this is only one of many choices one could make) as the machine's real number type

3. integer arithmetic which is exact unless it takes us outside the integer type (in which case an exception is raised)

4. real arithmetic which rounds to the nearest number in the real number type unless it takes us above the largest positive machine-representable number or below the largest negative machine-representable number (in which case an exception is raised).

The proof of the last statement is completely analogous to the proof of finite satisfiability in the Motivating Example, so we omit it.

Having  stated  the  asymptotic  specifications  and  axioms,  we  can  now  make 
the  following  definition: 


Definition 2.2.4: A program P asymptotically satisfies a specification relation R iff for every finite set A of asymptotic specifications for R, there exists a finite set of asymptotic axioms B such that for every model T of P, if T satisfies every axiom in B then T satisfies every specification in A.

□ 
Chapter 3

Nonstandard  Formulation  of 
the  Theory 


The  Theory  of  the  previous  chapter  was  entirely  formulated  in  the  language 
of  classical  analysis.  In  this  Chapter  we  give  a  formulation  of  the  Theory 
in  Nonstandard  Analysis. 


3.1  Nonstandard  Mathematics 


Nonstandard analysis is an alternate approach to doing real analysis. It uses formalizations of intuitive concepts like "infinitesimal" in place of classical methods using limits (the so called $\varepsilon$-$\delta$ approach).

When calculus was first developed by Newton and Leibniz, the proofs were presented in terms of "infinitesimal" quantities. For instance, the derivative of $x^2$ was computed by forming the difference quotient

$$\frac{(x + dx)^2 - x^2}{dx}$$

with dx being an infinitesimal quantity. This simplifies by simple algebra to $2x + dx$. Disregarding the infinitesimal, the derivative, $2x$, is obtained. An infinitesimal was a number which was positive, but less than any given positive number. On the face of it, this is inconsistent, since if dx is positive, it must be less than itself. Attempts to make this approach rigorous failed, and methods involving limits were developed. To compute the derivative of $x^2$ using limits, instead of using a single infinitesimal dx, one examines what happens to the quantity

$$\frac{(x + \Delta x)^2 - x^2}{\Delta x}$$

as smaller and smaller values of $\Delta x$ are plugged in. One can show that the $\Delta x$ difference quotient can be made as close as one wants to $2x$ by constraining $\Delta x$ to be less than a certain size.

In the 1960's logicians developed a way to make the methods of Newton and Leibniz rigorous, and the resulting alternate approach to analysis is called Nonstandard Analysis. (We prefer the term "Nonstandard Mathematics", since the methods used are applicable in other areas of mathematics besides analysis, and will use this term hereinafter.) The essential feature of Nonstandard Analysis is the addition of "nonstandard elements" of the domain of discourse which are then used to prove results about the original, standard domain. In this way it is similar to the construction of the complex numbers from the reals. To get the complex numbers, one simply adds a new number denoted by i, assumes that it obeys the axiom $i^2 = -1$ plus the algebraic laws of the reals (e.g. commutativity of addition), and computes with it formally. The resulting extended number system, the complex numbers, can then be used to obtain easier proofs of results about the reals, like the Fundamental Theorem of Algebra.

Let's consider what it would mean to add an infinitesimal to the standard real numbers in a purely formal way. Let L be the first order language with the following symbols:

• For each n-ary predicate P over R, we have an n-ary predicate symbol P whose interpretation is P.

• For each n-ary function f over R, we have an n-ary function symbol f whose interpretation is f.

• For each real number r we have a constant symbol r whose interpretation is r.

Let T be the set of all first-order statements in the language L which are true. T is what is called the complete theory of R over L. Intuitively, it contains all the first-order facts about R.

Next, we add a new symbol $\varepsilon$ to our language. This is intended to be the name of the infinitesimal we're adding. We also add to T the axiom $\varepsilon > 0$. We'd like to add an axiom which says that $\varepsilon$ is less than any given positive real number. If we add the axiom $\forall x > 0,\ \varepsilon < x$ we get an inconsistent system, because $\varepsilon$ itself is positive. We don't really want this axiom though; what we really want to assume is that $\varepsilon < x$ for all of the standard x's, i.e. the real numbers that we started with. We can do this in a formal way by adding a separate axiom $\varepsilon < r$ for every standard positive r. Call the resulting system T'.

Lemma 3.1.1: T' is consistent.

Proof: This follows essentially from the fact that first-order logic is a finitary logic, i.e. every proof is a finite derivation from a finite set of axioms. Therefore, if there's a proof of a contradiction from a set of axioms, there must be a proof of a contradiction from some finite subset of the axioms. Suppose T' were inconsistent. There must then be a certain finite set $T_0 \subseteq T$ and a finite set of positive reals $r_1, \dots, r_n$ such that there is a proof of a contradiction from the axioms of $T_0$ plus $\varepsilon > 0$ plus the axioms $\varepsilon < r_i$ for $i = 1, \dots, n$. Since first-order logic is sound, this means that there is no model for this finite set of axioms. Suppose, however, that we interpret the symbol $\varepsilon$ to be the real number obtained by taking the smallest of the $r_i$ and dividing it by 2. This interpretation makes all the axioms of the finite subset true. Therefore, no finite subset of T' is inconsistent, so T' as a whole is not inconsistent.


By the completeness of first order logic, any consistent theory has a model. Thus, there exists some model of T'. Call this model M. Since our language has a constant symbol r for every $r \in R$, and since every such constant symbol has an interpretation M(r) in M, we can embed R into M by the mapping $r \mapsto M(r)$; without loss of generality, we can identify R with its image in M and just assume that $R \subseteq M$. We know that there is at least one element of M which is not in R, namely the interpretation of $\varepsilon$. Also, since M is a model of T', we know that $\varepsilon$ is a positive number which is less than every positive number in R. Thus, we have added an infinitesimal. Also, our new number system M has all the same first order properties that R does, because M is a model of T, the complete first order theory of R. Also, every predicate and function on R has an extension to M. Such extensions of one model by another that preserve all first order properties are called elementary extensions.

The construction of a nonstandard extension of the reals is actually slightly more complicated. The thing that made the above construction work is that we had an infinite collection of "requirements" on $\varepsilon$ that were finitely satisfiable in the original, standard reals. In other words, we wanted $\varepsilon$ less than every standard positive real number, and for any finite set of positive real numbers there is a standard real that is less than everything in the finite set. This finite satisfiability allowed us to show that any finite subset of the theory T' had a model, and was therefore consistent, and so T' was consistent. In fact, we could do the above construction for any collection of requirements which was finitely satisfiable. If the requirements cannot all be satisfied in the standard reals, as was the case in the above construction, the M we get is a proper elementary extension of R in which the collection of requirements is satisfiable by a single, nonstandard number.

In the actual construction of a nonstandard extension of R, we do the above construction for all finitely satisfiable collections of requirements at once. Before giving the construction, we say precisely what we mean by a finitely satisfiable collection of requirements.

Definition 3.1.1: If $x_1, \dots, x_n$ are variables in the language L, a collection of requirements over $x_1, \dots, x_n$ is a set F of formulas in the language L such that for every $\phi \in F$, the free variables of $\phi$ are among $x_1, \dots, x_n$. F is finitely satisfiable iff for every finite set

$$\{\phi_1(x_1, \dots, x_n), \dots, \phi_k(x_1, \dots, x_n)\}$$

of formulas of F, there exist $r_1, \dots, r_n \in R$ such that for $i = 1, \dots, k$, $\phi_i(r_1, \dots, r_n)$ is true.

□

Let L and T be as before. For every finitely satisfiable collection of requirements F on variables $x_1, \dots, x_n$, we add distinct constant symbols $c_{F,1}, \dots, c_{F,n}$ to the language. We then add to T the axioms $\phi(c_{F,1}, \dots, c_{F,n})$ for every $\phi \in F$. Call the resulting theory T'. Every finite set $T_0 \subseteq T'$ involves at most finitely many F's, and for each such F, there are only finitely many $\phi$'s from F in the subset. By the finite satisfiability of the F's, we can interpret all the new constants in $T_0$ in R so as to make all the axioms of $T_0$ true. Thus, T' is consistent, and so has a model M. As before, R can be considered to be a subset of M. M is an elementary extension of R, and every collection of requirements which is finitely satisfiable in R is actually satisfiable in M (i.e. there exist elements of M making all the formulas in the collection true).

We  can  apply  this  construction  to  other  sets  besides  R.  In  fact,  we  can 
apply  it  to  any  set. 


3.2 Axiomatizing Nonstandard Mathematics


Nonstandard methods can be applied by reasoning about nonstandard models. It is desirable, however, to have an axiomatic system for nonstandard mathematics. Such a system is developed in [2]. We have been using the system in [2] as the basis for our verifications. We now describe it.

Zermelo-Fraenkel set theory with the axiom of choice (usually abbreviated ZFC) is an axiomatic system in which all standard mathematics can be done. The language of ZFC has only two symbols: a binary predicate symbol = for equality and a binary predicate symbol $\in$ for set membership (i.e. "$x \in y$" means "x is an element of y"). We can therefore think of a model of ZFC as a "universe" for standard mathematics. A nonstandard extension of such a model should then be a "universe" for nonstandard mathematics. In [2], an axiom system for these nonstandard universes called IST is formulated. IST is obtained as follows: starting with a given model M of ZFC, one constructs a nonstandard extension M' of M. In M', there is an interpretation of $\in$ which satisfies all of the axioms of ZFC. We then add a unary predicate "st" to the language, and interpret it in M' as the set of all elements in M. Finally, we examine what useful axioms in the language of =, $\in$ and st hold in an arbitrary such M'. IST consists of all the axioms of ZFC plus the additional axioms covering nonstandard mathematics. These additional axioms are presented in 3 schemas. They are:

1.

$$\forall^{st} x_1, \dots, x_n\,[\phi \leftrightarrow \phi^{st}]$$

where $\phi$ is an arbitrary formula with no occurrences of the predicate st, $x_1, \dots, x_n$ includes all the free variables of $\phi$, and $\phi^{st}$ means $\phi$ with every quantifier $\forall y$ replaced by $\forall^{st} y$ and every quantifier $\exists y$ replaced by $\exists^{st} y$. What this schema is expressing axiomatically is the fact that M' is an elementary extension of M. It says that if we have any formula in the language of standard mathematics containing standard parameters, then it holds in the nonstandard universe (i.e. $\phi$ holds) iff it holds in the standard universe (i.e. $\phi^{st}$ holds). This schema is called the transfer principle. (Formulas which contain no occurrences of the st predicate are called internal formulas.)

2.

$$\forall^{st\,fin} z\; \exists x\; \forall y \in z\; \phi(x, y) \;\leftrightarrow\; \exists x\; \forall^{st} y\; \phi(x, y)$$

where $\phi$ is an internal formula in which z does not occur free. What this schema is expressing is the fact that every finitely satisfiable collection of requirements from the standard universe on a single variable x is satisfied in the nonstandard universe. We think of the formula $\phi(x, y)$ as defining an infinite collection of requirements on x, indexed by standard elements y. The left hand side of the schema says that this collection is finitely satisfiable in the standard universe, i.e. for all finite sets z of standard elements, there is a single x which satisfies the requirements $\{\phi(x, y) \mid y \in z\}$. The right hand side says there is a single x which satisfies all of the requirements $\{\phi(x, y) \mid y \text{ is standard}\}$. The schema states that the two are logically equivalent. This schema is called the principle of idealization.

3.

$$\forall^{st} x\; \exists^{st} y\; \forall^{st} z\;[z \in y \leftrightarrow z \in x \wedge \phi(z)]$$

where $\phi$ is any formula in which y does not occur free (but st can occur in $\phi$). This axiom essentially expresses the fact that any collection of standard elements that we can define (even using nonstandard methods) has a standard "extension" in the nonstandard universe. This schema is called the principle of standardization.


In [2] an important theorem is proved, namely that IST is conservative over ZFC. What this means is that any statement in the language of ZFC (i.e. with no occurrences of "st") which we can prove in IST can be proved from ZFC alone. This tells us that the use of nonstandard methods doesn't change the underlying standard universe. Since the standard world is what we're really interested in, this result is essential.


3.3  Nonstandard  Formulation  of  the  Theory 


One of the most attractive features of nonstandard mathematics is that definitions become simpler and more intuitive. For example, the classical definition of a sequence of reals $\{x_i \mid i = 0, 1, \dots\}$ converging to a real number x is: $\forall \varepsilon > 0,\ \exists N$ such that $\forall i > N,\ |x_i - x| < \varepsilon$. In other words, we can make the difference between x and the terms of the sequence as small as we want by looking sufficiently far out in the sequence. The nonstandard definition of convergence is that for all infinite i, $|x_i - x|$ is infinitesimal. (We can take "infinite" to mean "$1/i$ is infinitesimal".) The nonstandard definition has many fewer quantifiers than the standard definition. Also, it is more intuitive ($x_i$ for "large" i are "close to" x). In fact, this is the major reason for formulating our Theory in terms of nonstandard mathematics: all the definitions become simpler when formulated in nonstandard terms.

In this section we give nonstandard equivalents of asymptotic satisfaction for standard programs P and standard specifications R. The nonstandard versions are actually logically equivalent to the standard ones in IST. Because IST is conservative over ZFC, any statement in the language of ordinary mathematics (e.g. statements about error magnitudes) which we prove using nonstandard methods and the nonstandard definition of asymptotic satisfaction will be provable using standard methods and the standard definition. In general, however, the nonstandard proofs are much more intuitive and much easier to construct and read.

For  the  remainder  of  the  discussion  we  fix  a  standard  program  P  and  a 
standard  specification  R  for  P. 

Definition 3.3.1: If T is a model for P, T is hyperaccurate iff T satisfies all standard asymptotic axioms, i.e. iff $\forall^{st} V, \varepsilon, \delta, a\,[T \in \mathrm{startup}(V, \delta) \wedge T \in \mathrm{primacc}_a(V, \varepsilon, \delta)]$.

□

Definition 3.3.2: If T is a model for P, T hypersatisfies R iff T satisfies all standard asymptotic specifications for R, i.e. iff $\forall^{st} V, \varepsilon, \delta\,[T \in \mathrm{startup}(V, \delta) \wedge T \in \mathrm{accuracy}_R(V, \varepsilon, \delta)]$.

□

In IST we have the following equivalence: P asymptotically satisfies R iff every hyperaccurate model of P hypersatisfies R.

We will next obtain more useful characterizations of a model being hyperaccurate and a model hypersatisfying a specification.
Definition 3.3.3: If $x, y \in R$, $x \approx y$ (read "x is infinitely close to y") iff $|x - y|$ is infinitesimal. If V, V' are variable assignments, $V \approx V'$ iff $\rho(V, V')$ is infinitesimal.

□

$V \approx V'$ iff V and V' make the same variables defined and undefined, and assign the same values to the integer variables, and for all real variables X, $V(X) \approx V'(X)$.

In IST we have the following equivalence: a model T of P satisfies all standard startup axioms iff $\forall^{st} V\; \exists a, V'\,[\langle (a, V') \rangle \in T \wedge V \approx V']$. In particular, if T is hyperaccurate then any standard V can be approximated infinitely closely by a V' that T can start up with.

In IST we have the following equivalence: a model T of P satisfies all standard $\mathrm{accuracy}_R$ axioms iff $\forall^{st} V \in \mathrm{dom}(R)$ and $\forall a, V'$, if $\langle (a, V') \rangle \in T$ and $V' \approx V$ then:

1. There are no infinite paths through T whose first element is $(a, V')$.

2. For every $\sigma$ maximal in T, if $\sigma$'s first element is $(a, V')$ then the last element of $\sigma$ is $(J, U)$ and $\exists U'\,[R(V, U') \wedge U' \approx U]$.

In particular, if T hypersatisfies R then if we start up T with an infinitely close approximation to $V \in \mathrm{dom}(R)$, T will eventually terminate with a variable assignment which is infinitely close to some assignment U' such that $R(V, U')$.

Definition 3.3.4: A real number x is finite iff there exists a standard y such that $|x| < y$. An integer is finite iff the corresponding real is finite. A variable assignment V is finite iff every variable V assigns is assigned a finite value (whether integer or real); equivalently, iff $\exists^{st} V'$ such that $V \approx V'$.

□

In IST we have the following equivalence: if a is an assignment node with label $v := F(v_1, \dots, v_l)$ and F is not the division operation, then a model T of P satisfies all standard $\mathrm{primacc}_a$ axioms iff $\forall \sigma, e, e'$, if:

• $\sigma^\frown(e, e') \in T$

• $e = (a, V)$

• V is finite

• V assigns values to $v_1, \dots, v_l$ and $F(V(v_1), \dots, V(v_l))\downarrow$

then $e' \neq\, !$ and $e'$ assigns v a value w such that $w \approx F(V(v_1), \dots, V(v_l))$.

For division, we have the following equivalence: if a is an assignment node with label $a := b/c$ then a model T of P satisfies all standard $\mathrm{primacc}_a$ axioms iff $\forall \sigma, e, e'$, if:

• $\sigma^\frown(e, e') \in T$

• $e = (a, V)$

• V is finite

• V assigns values to b and c and $V(c)$ is not infinitesimal

then $e' \neq\, !$ and $e'$ assigns a a value w such that $w \approx V(b)/V(c)$.

In particular, if T is hyperaccurate then computations of operations other than division on finite inputs introduce only infinitesimal error, and computations of division on finite inputs only introduce infinitesimal error when not dividing by an infinitesimal.

By the above facts, if we want to prove that a standard program asymptotically satisfies a standard relation R, it is sufficient to let T be an arbitrary hyperaccurate model, and prove that it hypersatisfies R.


Chapter  4 

A  Sample  Verification 


In this chapter we apply the Theory to verify (informally) the asymptotic correctness of a program P to find roots of a standard continuous function $f : R \to R$. We will freely use elementary facts from nonstandard analysis without proving them; the details can be found in, e.g., [1]. In particular, we will need to use the nonstandard definition of continuity of f in the verification. In nonstandard analysis, a standard function is continuous iff, for every standard x, if $y \approx x$ then $f(y) \approx f(x)$.

The flow chart for the program is pictured on the next page. It has four real valued variables, A, B, X and Y. What we will verify about the program is that it asymptotically satisfies the following condition: if it is started up with A and B defined and A < B and f(A) < 0 < f(B) then it will eventually terminate with X defined and f(X) = 0. We know from the Intermediate Value Theorem of real analysis that such a root must exist.

Let's recall what it means for a program to meet such a specification asymptotically. It means that if we have fixed numbers x and y, with x < y and f(x) < 0 < f(y), and an $\varepsilon > 0$, then on a sufficiently large machine, if we run the program with A and B sufficiently close to x and y, then the program will terminate with a value for X that is within $\varepsilon$ of a root of f. We will have verified this statement if, assuming the program is started up with A and B infinitely close to standard x and y such that x < y and f(x) < 0 < f(y), and assuming that the program's arithmetic operations only introduce infinitesimal error on finite values, we can prove that the program terminates with X defined and infinitely close to a standard root c of f. (We must also assume that f is computed with only infinitesimal error on finite elements. This would presumably be done by some other program which P would call, which had been verified to compute f asymptotically. We will assume for simplicity that there is some function $f_m$ such that the machine computed value of f(x) is $f_m(x)$. In general, of course, P need not compute the same value for f(x) twice in a row. The program can be verified without this assumption, but the proof in that case involves details which would be counterproductive here.)

The program attempts to find a root by the method of bisection. It executes a loop in which, in each pass through, it does the following: it first takes the midpoint of its current 2 endpoints, and computes the value of f there. If it is 0, the program halts. If it is negative, the midpoint becomes the new lower endpoint, and the loop continues. If it is positive, the midpoint becomes the new upper endpoint, and the loop continues.

How do we make sure that the program terminates? If it were running on a machine with ideal arithmetic, it would be entirely possible that the program would never actually find a root, but would just get values of A and B that were closer and closer to a root. We know this can't happen on a finite machine, however, because to do so would require that A and B pass through an infinite number of distinct real values in the course of running the program. What would happen on a finite machine? On a very accurate but finite machine, execution would look very much like execution on an ideal machine for a while. As the values of A and B got very close to each other, however, there would come a point where the distance between A and B was less than the roundoff error in computing the midpoint of the two. This would result in the program computing a value for the midpoint which would round to one of the endpoints, or possibly even to a number outside the endpoints. Since boolean tests are exact, we can detect this condition in P: check after each computation of the midpoint to see if the computed value is between the endpoints; if it is not, the program terminates.
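
The bisection loop and its exact midpoint test, run on IEEE double precision, as an added example that is not part of the original thesis: bisect_root follows the flow chart (X := (A + B)/2, the exact test A < X < B, Y := f(X), then A := X or B := X) with no iteration bound and reports why it halted and whether A, B and X stayed between the initial a and b, while ideal_bisection_stops runs the same loop in exact rational arithmetic as a stand-in for an ideal machine. Both function names and the sample function x² − 2 are my own constructions, not the thesis's.

```python
from fractions import Fraction


def bisect_root(f, a, b):
    """Run the Chapter 4 flow chart on IEEE double precision (added example).

    f stands in for the machine-computed function f_m; a < b with f(a) < 0 < f(b).
    Returns (X, reason, steps, invariant_held):
      reason is "exact-zero" when f(X) came out exactly 0, or "midpoint-outside"
      when the computed midpoint failed the exact boolean test A < X < B;
      invariant_held records whether A, B and X stayed between a and b at
      every assignment statement (the induction hypothesis used in the text).
    """
    if not (a < b and f(a) < 0 < f(b)):
        raise ValueError("need A < B and f(A) < 0 < f(B) at startup")
    A, B = a, b
    steps = 0
    invariant_held = True
    while True:  # no iteration bound: only the tests below can stop the loop
        X = (A + B) / 2  # X := (A + B)/2, subject to rounding
        steps += 1
        invariant_held = invariant_held and all(a <= v <= b for v in (A, B, X))
        if not (A < X < B):  # exact test: roundoff has collapsed the bracket
            return X, "midpoint-outside", steps, invariant_held
        Y = f(X)  # Y := f(X)
        if Y == 0:
            return X, "exact-zero", steps, invariant_held
        if Y < 0:
            A = X  # midpoint becomes the new lower endpoint
        else:
            B = X  # midpoint becomes the new upper endpoint


def ideal_bisection_stops(f, a, b, max_steps):
    """The same loop with exact rational arithmetic, standing in for an
    'ideal machine'.  Returns True if the loop halts within max_steps and
    False if it is still running, i.e. the midpoint test never fired."""
    A, B = Fraction(a), Fraction(b)
    for _ in range(max_steps):
        X = (A + B) / 2  # exact: always strictly between A and B
        if not (A < X < B):
            return True
        Y = f(X)
        if Y == 0:
            return True
        if Y < 0:
            A = X
        else:
            B = X
    return False


if __name__ == "__main__":
    # Constructed input: f(x) = x^2 - 2 on [1, 2]; the root sqrt(2) is not a double.
    X, reason, steps, ok = bisect_root(lambda x: x * x - 2.0, 1.0, 2.0)
    print(f"finite machine: X={X!r} reason={reason} steps={steps} invariant={ok}")
    print("ideal machine stopped within 200 steps:",
          ideal_bisection_stops(lambda x: x * x - 2, 1, 2, 200))
```

For x² − 2 on [1, 2] the double precision run halts after roughly 53 midpoint computations, once A and B have become adjacent doubles, with X one unit in the last place from √2 and the invariant intact; the exact run is still going after any number of steps.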

The argument we have just given proves that the program always terminates normally if there are no unhandled exceptions. Notice that there are no "exception" arrows in our flow chart, so we had better be able to prove that no unhandled exceptions occur. It's easy to show that there are no exceptions due to referencing undefined variables, since we assume that A and B are defined initially and every other variable is assigned to before the first time it is referenced. The only other kinds of exception that can occur are exceptions due to attempting to evaluate an expression on arguments that are not finite, and attempting to divide by an infinitesimal. The latter kind can't happen because the only division in the program is division by 2, which is not infinitesimal. To show that the former sort can't happen it would suffice to show that whenever control reaches an assignment statement, the values of A, B and X are finite (when defined), since these are the only variables which appear on the right hand side of an assignment statement. We will argue something stronger, namely that whenever control reaches an assignment statement, the values of A, B and X (when defined) are all between the initial two values of A and B. Call these initial values a and b respectively. We prove this statement by induction on the number of steps the program has executed. Suppose that there is some integer n such that after n steps, control comes to an assignment statement and one of A, B or X is defined and not between a and b. Choose n as small as possible. We consider each assignment statement separately, and show for each one that control cannot be at the statement at time n.

X := (A + B)/2. The first time control reaches this statement X is undefined and A = a and B = b. Thus, n cannot correspond to the first time control reaches this point. Any other time control reaches this point, it must have been at B := X or A := X after n − 1 steps. By minimality of n, A, B and X must all have been between a and b at step n − 1, and since at step n − 1 we are only assigning one variable the value of another, the values of the three variables must be between a and b after executing step n − 1 and so also before executing step n.

Y  :=  /(X).  If  control  is  at  this  statement  at  time  n  then  it  was  at  X  :  = 
( A  +  B)/2  at  time  n  —  2.  By  minimality  of  ?j,  this  means  that  A  and  B  must 
have  been  between  a  and  b  before  executing  step  n  —  2,  and  therefore  after, 
since  step  n  —  2  only  assigns  to  X.  At  step  n  —  1  control  must  have  been 
at  the  test  statement  A  <  X  <  B.  If  control  passed  to  Y  :=  /(X)  rather 
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than  HALT,  it  must  be  that  the  value  of  X  at  time  n  —  1  was  between  the 
values  of  A  and  B,  and  therefore  between  a  and  b.  Test  do  not  affect  the 
values  of  variables,  so  all  three  variables  would  have  to  have  been  between 
a  and  b  at  time  n. 

A  :=  X.  If  control  is  at  this  statement  at  time  n  then  it  must  have  been 
at  statement  Y  :=  /(X)  at  time  n  —  3.  By  minimality  of  n,  the  values  of  A. 
B  and  X  must  have  been  between  a  and  b  at  time  n  —  3,  and  none  of  the 
statements  executed  at  times  n  —  3,  n  —  2  and  n  —  1  affect  the  values  of  A. 
B  or  X,  so  they  must  still  be  between  a  and  b  at  time  n. 

B  :=  X.  The  argument  here  is  identical  to  that  for  the  previous  case. 

This establishes that no exception occurs in the program, so it terminates
normally. It obviously terminates with X defined, because this happens at
the first assignment statement. It is also easy to prove by induction that
at all points in the execution of P, A < B and the values of A and B are
such that the machine-computed value of f(A) is < 0 and the machine-computed
value of f(B) is > 0. This is ensured by the Y = 0 and Y < 0
tests. We emphasize that the actual values may not have the same sign as
the machine-computed values, but we don't need them to be the same sign
to verify our program. We will now prove directly that X is infinitely close
to a root of f at termination. There are two cases, corresponding to the
two HALT statements.

If P halts after the A < X < B test, we claim it must be the case that
A, B and X are all infinitely close to each other. Prior to the test, X was
assigned to (A + B)/2. The computation of this expression can introduce
infinitesimally much error, so all we really know is that after the assignment
statement,

$$X \approx \frac{A + B}{2}.$$

Since control passes to HALT after the test, it must be the case that either
X ≤ A or X ≥ B. Consider the first case. Since A < B,

$$A < \frac{A + B}{2}.$$

Therefore, A is between X and (A + B)/2, and since the last two numbers are
infinitely close, A, X and (A + B)/2 are all infinitely close to each other.
Also, this means that

$$\frac{A + B}{2} - A = \frac{B - A}{2}$$

is infinitesimal, so B − A is infinitesimal, so A ≈ B. The case X ≥ B is
handled in the same way. By elementary nonstandard analysis, all three of
A, B and X must therefore be infinitely close to a single standard real
number z. Also, by the assumption that P asymptotically computes f and f
is continuous (writing $f_P(A)$ for the machine-computed value of f(A)),

$$f_P(A) \approx f(A) \approx f(z) \approx f(B) \approx f_P(B).$$

But the first and last numbers are of opposite sign. The only way two
numbers can be infinitely close to each other and of opposite sign is if they
are infinitesimal. Therefore, f(z) is infinitesimal. But f and z are standard,
so f(z) is standard, and the only standard number which is infinitesimal is
0. Therefore, z is a standard root of f, and the program terminates
with X ≈ z.

Next suppose P halts after the Y = 0 test, so that the machine-computed
value $f_P(X)$ of f(X) is 0. There exists some standard z infinitely close
to X, so

$$0 = f_P(X) \approx f(X) \approx f(z),$$

so again, we have f(z) infinitesimal, which implies that z must be a standard
root of f, and the program terminates with X ≈ z.
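As an added illustration (not code from the report), here is the program P as the text describes it, executed on IEEE doubles with the two invariants of the correctness argument checked at every step; the function f, the interval [a, b] and the helper name run_P are constructed for this example.

```python
import math

def run_P(f, a, b, max_steps=10_000):
    """Execute the program P from the text on IEEE doubles:
         X := (A+B)/2;  HALT unless A < X < B;  Y := f(X);
         HALT if Y = 0;  if Y < 0 then A := X else B := X;  repeat.
    Returns (X, reason, steps), where reason names the HALT that fired.
    The two invariants from the correctness argument are checked as
    assertions, so a violation (which the proof says cannot happen) would
    surface immediately."""
    assert f(a) < 0 < f(b), "precondition: machine-computed f changes sign on [a, b]"
    A, B = a, b
    steps = 0
    while True:
        # Invariant 1: A and B stay between the initial values a and b,
        # hence finite, so evaluating (A+B)/2 cannot raise an exception.
        assert a <= A <= b and a <= B <= b
        X = (A + B) / 2                 # the only division is by 2
        assert a <= X <= b              # rounding keeps the midpoint inside [A, B]
        if not (A < X < B):
            # A and B are adjacent doubles: the machine analogue of the
            # "A, B and X infinitely close" case of the proof.
            return X, "interval-test", steps
        Y = f(X)
        if Y == 0:
            return X, "exact-zero", steps
        if Y < 0:
            A = X
        else:
            B = X
        # Invariant 2: the Y = 0 and Y < 0 tests keep f(A) < 0 < f(B)
        # for the machine-computed f, whatever the true signs are.
        assert f(A) < 0 < f(B)
        steps += 1
        if steps > max_steps:
            raise RuntimeError("P did not halt")

if __name__ == "__main__":
    # Constructed sample: f(x) = x^2 - 2 on [1, 2]; the root sqrt(2) is
    # irrational, so P halts at the interval test with X within one ulp of it.
    X, why, n = run_P(lambda x: x * x - 2, 1.0, 2.0)
    print(X, why, n, abs(X - math.sqrt(2)) <= math.ulp(X))
```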


Appendix A


Notation


In this Appendix we list some notations that we've used in the preceding
chapters.

• $x \in A$ means "x is an element of (set) A." $A \subseteq B$ means "A is a
subset of B."

• $(x_1, \ldots, x_n)$ is the finite sequence with entries $x_1, \ldots, x_n$ (in that
order). $()$ is the unique sequence of length 0, or the empty sequence.

• $\sigma \prec \tau$ means the sequence τ extends the sequence σ to the right.

• $\sigma^{\frown}\tau$ stands for the concatenation of the sequences σ and τ.

• $|x|$ is the absolute value of x.

• $f : D \to R$ means "f is a function from D into R."

• $t\!\downarrow$ means "t is defined". $t\!\uparrow$ means "t is undefined." $s \simeq t$ means "s is
defined iff t is, and if s and t are defined, they are equal."

• $\forall^{st} x.\ \varphi$ means "for all standard x, φ holds." $\exists^{st} x.\ \varphi$ means "there
exists standard x such that φ holds."
MISSION

of

Rome Air Development Center

RADC plans and executes research, development, test and selected
acquisition programs in support of Command, Control, Communications and
Intelligence (C3I) activities. Technical and engineering support within
areas of competence is provided to ESD Program Offices (POs) and other
ESD elements to perform effective acquisition of C3I systems.

The areas of technical competence include communications, command and
control, battle management, information processing, surveillance sensors,
intelligence data collection and handling, solid state sciences,
electromagnetics, and propagation, and electronic, maintainability,
and compatibility.

